In a key cryptography system, users encrypt messages using a secret session key k and a conventional block cipher function f. The conventional block cipher function may, for example, be the U.S. standard Digital Encryption Scheme (DES) or some variation such as "triple DES".
A transmitting party can encrypt the clear text message m to obtain the cipher text message c according to c=f(k,m). The receiving party can decrypt the message according to m=f^{-1}(k,c). In the foregoing, k, m, and c are bit strings. It is assumed that m can be efficiently derived from c if, and only if, k is known, but that k cannot be efficiently derived from c and m.
In general, the session key k is generated by both parties based on information available to both parties at the time of the communication. In many cases, both parties must access information maintained by a trusted central authority (trustee) to generate the common session key k. In other cases, the parties have sufficient information themselves to generate the common session key k at the start of a communication session.
U.S. law enforcement agencies, such as the Federal Bureau of Investigation (FBI), have complained that digital telephony and commercially available cryptography threaten the effectiveness of wiretapping. However, in many respects, digital communication techniques have made wiretapping easier.
Wiretapping is currently expensive. In 1993, the average cost of the installation and monitoring of a tap was $57,256 (see e.g., Administrative Office of the United States Courts, 1993, Report on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications ("Wiretap Report"), 1993). There have been about 900 wiretaps ordered per year by state and federal authorities put together, with between 200,000 and 400,000 incriminating conversations recorded annually. The number of non-incriminating conversations recorded each year has increased to over 1.7 million. The non-incriminating conversations are weeded out "by hand" at a cost of time and money, and at a cost of privacy to innocent parties.
Advances in telecommunication technology have a significant effect on wiretapping. Cordless telephony and cellular telephony permit wiretapping without requiring actual physical property invasion of the party to be wiretapped. Programmable switches can obviate the necessity for special hardware for wiretapping. Digital messaging permits automatic sifting of conversations (by destination, content, etc.). Thus, the potential exists for cheaper and more effective use of wiretapping and the consequences for the privacy of citizens must be examined carefully.
The availability of public-key cryptography (e.g., RSA technique, Diffie-Hellman technique, Kilian-Leighton technique, Rabin Modular Square Root technique) and the explosion of public awareness of cryptography in general have put a powerful privacy enhancing tool in the hands of citizens. Conceivably, widespread use of encryption could cripple wiretapping as a law enforcement tool. In an effort to provide an alternative, the White House announced on Apr. 16, 1993 the "Escrowed Encryption Initiative". Subsequently, the National Institute of Standards and Technology (NIST) approved the "Escrowed Encryption Standard" ("EES") for telephone systems (see National Institute of Standards and Technology, Federal Information Processing Standards Publication 185, Escrowed Encryption Standard, Feb. 9, 1994, Washington, DC).
The EES (known often by the name of its chip "Clipper") caused an outcry partly from cryptologists who opposed the use of a secret algorithm, and partly from rights advocates opposed to the whole idea of escrowed keys. The secret algorithm (known as SKIPJACK), and its consequent reliance on tamper proof hardware, is certainly unnecessary for an escrow system and various alternatives have been proposed (see e.g., J. Kilian, T. Leighton, "Failsafe Key Escrow," presented at Rump Crypto '94; S. Micali, "Fair Public Key Cryptosystems," Proc. Crypto '92).
The escrow issue itself is more troublesome. As presently constituted, EES calls for individual keys to be split into the hands of two "trustees" (namely, NIST and a branch of the U.S. Treasury Department). These trustees, when served with a proper warrant (e.g., a warrant issued by a court) will each turn their portion of the appropriate key over to the law enforcement authority.
The warrant itself will contain the usual limitations on target, content, and time interval (e.g., a specified 30-day period), but these limitations do not apply to the key. Instead, the law enforcement authority is supposed to "return" the key to the trustees at the expiration of the warrant period. However, non-compliance with this procedure does not provide the basis for a motion in a court to suppress the electronic surveillance evidence (see e.g., National Institute of Standards and Technology, Federal Information Processing Standards Publication 185, Escrowed Encryption Standard, Feb. 9, 1994, Washington, DC). From a practical point of view, it will always be difficult to prove that a law enforcement authority does, or does not, have possession of a particular key.
In effect, if citizens a and b give law enforcement authorities reason to believe they have or will use the telephone to commit a crime, each of them gives up his or her "cryptographic rights" for all time--past, present, and future. Such a concession may be viewed as excessive, even if one believes the law enforcement authorities have no intention of misusing a key. The automatic sifting of telephone conversations will increasingly tempt the authorities to gather large quantities of data for possible later use, when a key is held.
A key escrow method for use in a telecommunications system to facilitate wiretapping warrants has the following desirable characteristics:
1. Time Boundedness
It is desirable for the courts to enforce the time limits of a warrant by supplying a key that will only be effective for a particular period of time (e.g., a particular set of days).
2. Target Flexibility
It is desirable for the courts to permit either (i) node surveillance in which all communications involving a particular target a can be decrypted, or (ii) edge surveillance in which only communications between parties a and b are decrypted.
3. Non-circumventibility
Preferably, it should be impossible (or very difficult) for a user to unilaterally alter his communication protocol such that he can encrypt communications without exposing himself to decryption by the proper authorities. It is difficult to prevent persons from colluding, because any two parties can always use their own cryptography system, but a key escrow system or another system which provides for warrants should not make this easy.
4. Security
A key escrow method should rely on familiar and tested cryptographic techniques. A key escrow method preferably will avoid techniques that are not proven or do not have at least some built up empirical credibility.
5. Simplicity
The key escrow method should be practical and understandable. In particular, there should not be reliance on repeated contacts between users and trustees. Nor should many rounds of preliminaries be required between communicating parties. The key escrow system should not provide any impediment for telephone, fax, or e-mail communication. The system should be explicable in outline, if not mathematical form, to lay persons, such as the courts.
It is an object of the present invention to provide a key escrow method for use in a telecommunications system that facilitates warrants for wiretapping but that also has the desirable characteristics identified above.
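The following is an added illustration of characteristics 1 and 2 (time boundedness, and node versus edge surveillance); it is not part of the original text and is not the method the invention goes on to describe. It assumes HMAC-SHA256 as the one-way function and a single escrow holder; all function names, the day labels and the parties "a", "b", "c" are constructed for the example.

```python
import hashlib
import hmac

def kdf(key: bytes, *labels: str) -> bytes:
    """One-way step: HMAC-SHA256 over length-prefixed labels (assumed primitive)."""
    msg = b"".join(len(s.encode()).to_bytes(2, "big") + s.encode() for s in labels)
    return hmac.new(key, msg, hashlib.sha256).digest()

def node_key(user_secret: bytes, day: str) -> bytes:
    """Key covering all of one user's traffic on one day."""
    return kdf(user_secret, "node", day)

def edge_key(node_k: bytes, peer: str) -> bytes:
    """Key covering the user's traffic with a single peer on that day."""
    return kdf(node_k, "edge", peer)

def traffic_key(user_secret: bytes, day: str, peer: str) -> bytes:
    """What the user's device actually encrypts under."""
    return edge_key(node_key(user_secret, day), peer)

def issue_warrant(user_secret: bytes, days, peer=None) -> dict:
    """Escrow side: release per-day keys only, never the long-term secret.
    peer=None gives node surveillance; a named peer gives edge surveillance."""
    keys = {}
    for day in days:
        nk = node_key(user_secret, day)
        keys[day] = edge_key(nk, peer) if peer else nk
    return {"peer": peer, "keys": keys}

def agency_traffic_key(grant: dict, day: str, peer: str):
    """Key the agency can compute from a grant, or None when the grant gives
    it no derivation path (going further would mean inverting the HMAC)."""
    k = grant["keys"].get(day)
    if k is None:
        return None                      # outside the warrant's time bound
    if grant["peer"] is None:
        return edge_key(k, peer)         # node warrant: any peer, covered day
    return k if peer == grant["peer"] else None   # edge warrant: one peer

if __name__ == "__main__":
    secret_a = bytes(range(32))          # constructed long-term secret of user a
    grant = issue_warrant(secret_a, ["1994-03-01", "1994-03-02"], peer="b")
    for day, peer in [("1994-03-01", "b"), ("1994-03-01", "c"), ("1994-03-03", "b")]:
        got = agency_traffic_key(grant, day, peer)
        print(day, peer, got == traffic_key(secret_a, day, peer))
```

Contrast this with the EES arrangement described earlier, where the released key is the user's long-term key and nothing in the key itself reflects the warrant's limits.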